Solved: multikv and timechart | changing the default label...

anuragkapur · ‎03-12-2013

I am trying to plot the CPU utilisation of all processes on a Solaris server using the following search query:
index="os" host="myhost" source="ps" | multikv fields PID pctCPU COMMAND forceheader=1 | timechart avg(pctCPU) by PID

This works, but I would like the lines in my chart to be labelled with the COMMAND field rather than PID. I can't change the "by" clause to COMMAND as more than one process has the same value for the COMMAND field.

Could someone please suggest a way of achieving this?

martin_mueller · ‎03-12-2013

You could append the command to the pid and use that as your grouping field.

View solution in original post

martin_mueller · ‎03-12-2013

You could append the command to the pid and use that as your grouping field.

anuragkapur · ‎03-14-2013

As suggested, this worked and gave me the result I wanted: index="os" host="myhost" source="ps" | multikv | eval pidAndCommand=PID." ".COMMAND | timechart avg(pctCPU) by pidAndCommand

multikv and timechart | changing the default label of line in multiline chart with another dynamic value

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!